Original source ref:
http://pridels.blogspot.com/2006/06/imgallery-vuln.html
various VDBs are mentioning "galerie.php", but r0t said - and I
confirmed via the product download - that it's "galeria.php".
> find IMGallery | grep galer
IMGallery/galeria.php
and while we're at it:
$start = $_GET['start'];
...
$pobieranie = mysql_query ("SELECT * FROM galeria WHERE kategoria LIKE '$kategoria' AND album LIKE '$album' AND opis LIKE '%$fraza%' AND hidden = '' AND verified = 'T' ORDER BY $sort DESC LIMIT $start,$limit");
so exploitation might be limited per Bill Heinbockel's previous
comments, but there's injection of something.
Regarding the sort parameter - the first reference of "sort" in
galeria.php is in the mysql_query() call above. There are a whole lot
of include files, including wyszukiwarka.php, which has:
$sort = $_GET['sort'];
Oh - and if you're asking yourself about the other variables mentioned
in the query above, the answer is "looks like it but I didn't take the
time to prove it."
- Steve
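For contrast with the query quoted above, here is a hardened rewrite of that search (an added illustration, not IMGallery's own code). It assumes a mysqli connection in $db, that $limit is also request-controlled, and an allow-list of column names chosen here as an example; the point it shows is that $sort names a column and so cannot be a bound parameter, while $start and $limit must be integers rather than interpolated strings.

```php
<?php
// Hardened version of the galeria.php search query (added example, not
// IMGallery's code). Assumes a mysqli connection in $db and the table
// layout implied by the original query.

// $sort is a column name, so it cannot be a bound parameter: map the
// user-supplied value onto a fixed allow-list of columns instead.
function safe_sort_column(?string $requested): string
{
    $allowed = ['id', 'opis', 'album', 'kategoria']; // assumed column names
    return in_array($requested, $allowed, true) ? $requested : 'id';
}

// LIMIT takes integers; coerce and clamp instead of interpolating strings.
function safe_int(?string $value, int $default, int $max): int
{
    if ($value === null || !ctype_digit($value)) {
        return $default;
    }
    return min((int) $value, $max);
}

function fetch_gallery(mysqli $db, array $get): array
{
    $kategoria = $get['kategoria'] ?? '';
    $album     = $get['album'] ?? '';
    $fraza     = '%' . ($get['fraza'] ?? '') . '%';
    $sort      = safe_sort_column($get['sort'] ?? null);
    $start     = safe_int($get['start'] ?? null, 0, 1000000);
    $limit     = safe_int($get['limit'] ?? null, 20, 100); // assumed default/cap

    // The column name comes only from the allow-list; all other values
    // are bound as parameters, so nothing from $_GET is spliced into SQL.
    $sql = "SELECT * FROM galeria WHERE kategoria LIKE ? AND album LIKE ?"
         . " AND opis LIKE ? AND hidden = '' AND verified = 'T'"
         . " ORDER BY `$sort` DESC LIMIT ?, ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('sssii', $kategoria, $album, $fraza, $start, $limit);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // needs mysqlnd
}
```

An unexpected sort value silently falls back to the default column; logging that fallback is a cheap way to notice probing of the parameter.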